Last modified: 2013-12-04 20:04:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T32714, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 30714 - Throwing an exception in User::setPassword() will expose the password
Throwing an exception in User::setPassword() will expose the password
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.22.0
All All
: Normal normal (vote)
: ---
Assigned To: Alex Monk
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-09-02 23:19 UTC by Chad H.
Modified: 2013-12-04 20:04 UTC (History)
9 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Chad H. 2011-09-02 23:19:45 UTC
If you throw an exception inside of User::setPassword(), you'll end up with an entry like this in your logs:

#0 /path/1.18wmf1/includes/specials/SpecialUserlogin.php(413): User->setPassword('passwordzomg')

This is pretty bad, since we don't want to leak a user's password to system administrators.
Comment 1 Brion Vibber 2011-09-06 18:38:41 UTC
This sort of thing is why we have display of exception details to output off by default. :P

This is alas a fairly general problem with PHP's backtrace generation -- it adds in parameters values which are sometimes helpful, often hugely verbose, and sometimes insanely insecure.

Not sure if we can remove the args from the trace as such, though we probably can by changing manual exception handling to do our own logging also, if we haven't already...
Comment 2 Chad H. 2011-09-06 19:45:02 UTC
(In reply to comment #1)
> This sort of thing is why we have display of exception details to output off by
> default. :P
> 

Right, so this doesn't really affect most non-development installs. But still, gives me the willies!

> This is alas a fairly general problem with PHP's backtrace generation -- it
> adds in parameters values which are sometimes helpful, often hugely verbose,
> and sometimes insanely insecure.
> 
> Not sure if we can remove the args from the trace as such, though we probably
> can by changing manual exception handling to do our own logging also, if we
> haven't already...

Right, I knew it was PHP's problem, but I wasn't sure if we could do anything here. I figured we could keep a list of functions to keep the parameters blacklisted from, but I'm afraid it would be a game of whack-a-mole.
Comment 3 Chad H. 2011-09-10 00:45:30 UTC
As a quick thought on this: we could potentially mask *all* params in the stack traces (rather than playing whack-a-mole with potentially unsafe entries), and hide them behind another setting ($wgShowStacktraceDetails) with a very clear comment that it should almost never be enabled on a production site?
Comment 4 Mark A. Hershberger 2011-10-03 21:55:20 UTC
+1 to Chad.  As an aside, it looks like vbulletin's backtrace stuff
somehow overrides installation path information in non-debug output
with [path].  So obfuscation is possible, not sure *how* just yet, or
how robust it is.
Comment 5 Tim Starling 2012-03-19 09:08:27 UTC
I don't understand why this is a security issue. What sort of system administrator would have access to the logs but not to any of the other ways to get a user's password?
Comment 6 Chad H. 2012-03-19 12:05:34 UTC
I was probably just being paranoid. We can move this out of security and into the general bug pool.
Comment 7 Mark A. Hershberger 2012-03-19 17:17:17 UTC
(In reply to comment #6)
> I was probably just being paranoid. We can move this out of security and into
> the general bug pool.

Moving
Comment 8 Gerrit Notification Bot 2013-05-17 22:16:10 UTC
Related URL: https://gerrit.wikimedia.org/r/64450 (Gerrit Change I0a9e92448f8d9009dd594cb4d7f5dc6fdd4bcc86)
Comment 9 Gerrit Notification Bot 2013-05-20 16:21:57 UTC
Related URL: https://gerrit.wikimedia.org/r/64590 (Gerrit Change I76c3bc41cda004f00d12d46015455cd9ea79578b)
Comment 10 Gerrit Notification Bot 2013-09-21 02:11:51 UTC
Change 64590 merged by jenkins-bot:
Redact certain function parameters from exception stack traces

https://gerrit.wikimedia.org/r/64590
Comment 11 Gerrit Notification Bot 2013-09-21 02:14:38 UTC
Change 64450 merged by jenkins-bot:
Add a way to redact certain function parameters from exception stack traces

https://gerrit.wikimedia.org/r/64450
Comment 12 James Forrester 2013-09-21 06:12:56 UTC
Is this now closable?
Comment 13 Alex Monk 2013-09-21 16:53:16 UTC
Not quite it seems:

#1 /var/www/MediaWiki/Git/core/includes/specials/SpecialChangePassword.php(84): SpecialChangePassword->attemptReset('REDACTED', 'My password was here')

Just need to modify the line in DefaultSettings.php to include that second parameter.
Comment 14 Gerrit Notification Bot 2013-09-21 17:04:58 UTC
Change 85437 had a related patch set uploaded by Alex Monk:
Redact second parameter of SpecialChangePassword::attemptReset by default in stack traces

https://gerrit.wikimedia.org/r/85437
Comment 15 Gerrit Notification Bot 2013-10-29 01:09:58 UTC
Change 92472 had a related patch set uploaded by Chad:
Revert "Add a way to redact certain function parameters from exception stack traces"

https://gerrit.wikimedia.org/r/92472
Comment 16 Gerrit Notification Bot 2013-10-29 13:36:39 UTC
Change 92472 abandoned by Hashar:
Revert "Add a way to redact certain function parameters from exception stack traces"

Reason:
Follow up in https://gerrit.wikimedia.org/r/#/c/92334/

https://gerrit.wikimedia.org/r/92472
Comment 17 Gerrit Notification Bot 2013-10-31 23:26:37 UTC
Change 85437 abandoned by Alex Monk:
Redact second parameter of SpecialChangePassword::attemptReset by default in stack traces

Reason:
It was decided that this system probably isn't a good idea

https://gerrit.wikimedia.org/r/85437
Comment 18 db [inactive,noenotif] 2013-12-04 20:04:27 UTC
Now fixed by I3d570a6385f96a606e1af53c50faa03b9ebacd38

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links